Networking

P2P networks share business data along with music

Is it possible that your corporate data is being shared on a P2P network, despite policies that would prohibit such a thing? InformationWeek's Avi Baumstein decided to find out what he could turn up using LimeWire on the popular Gnutella network. Before you decide that it couldn't happen to you, read what he found.

In an effort to see just what could be harvested from a P2P network, reporter Avi Baumstein of InformationWeek went on a fishing expedition. The results were surprising, and corporate system administrators should read them as a cautionary tale.

Using LimeWire Pro on the Gnutella network, Avi ran high-level searches on a number of generic terms such as "audit," "RFP," "proposal," and "minutes" and limited the results to documents. While the first attempt yielded only a few results, the second attempt was more promising. Using LimeWire's browsing tools, he discovered the files of a consultant for a major accounting firm, alongside some really bad music. Those files included internal audit plans as well as the financial results of a few companies.

From InformationWeek:

Giddy from my quick success, I tried other search terms and slogged through dozens of computers full of tailings such as High School Musical and Fall Out Boy, until I entered "ssn" for Social Security number. LimeWire, which displays the IP address of the computer hosting each file a search returns, showed an entire page of results for ssn, all with the same IP address. Using "browse host," I discovered a mother lode of bank passwords and credit card numbers, a few dozen files labeled as Equifax credit reports, and a handful of tax returns.

I'd stumbled upon what's known as an information concentrator. These are people who do what I was doing -- troll the P2P networks for files with personal data. But their intentions are far more sinister -- typically identity theft. Most likely this person was inadvertently re-sharing the confidential information he had found, making the same mistakes with P2P that his prey had made.

While most businesses have policies in place that restrict or prohibit the use of P2P on company machines, they do business with vendors whose security policies may not be as stringent. This exposes the company's information to risk if the vendor uses P2P and has enabled global sharing.

Your company very likely has policies in place to avoid this situation, but do you have vendor agreements that limit how your company information will be managed? And even if you do, how would you go about checking for compliance? I know of a company that has very stringent rules about how they manage security, but they allow outside contractors to use their own equipment on the corporate network. That company deals with financial information. The same is true of a local insurer. So policy aside, how safe is your network?
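The practical check that follows from the article is to look at a folder the way a P2P client would before it is ever shared: which files are not media at all, and which have names that the generic search terms above ("audit", "RFP", "proposal", "minutes", "ssn") would pull straight out of the network. The script below is an added example written for this page; it is not code from the InformationWeek article or from LimeWire. The media-extension list, the keyword list and the sample directory tree are all constructed assumptions, not any client's real defaults.

```python
"""Pre-share audit of a folder that a P2P client might expose.

Added example, not code from the InformationWeek article or from any P2P client.
It walks a directory tree and reports every file that would be a problem if the
tree were shared: anything that is not a media file (documents rather than music
or video), and anything whose name matches the kind of search term the article
reports ("audit", "RFP", "proposal", "minutes", "ssn", "tax", ...).
The extension list and the keyword patterns are assumptions for this example.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Assumed "harmless" media types; everything else is flagged as a document.
MEDIA_EXTENSIONS = {".mp3", ".ogg", ".wav", ".flac", ".mp4", ".avi", ".mov", ".wmv"}

# Name patterns modelled on the search terms used in the article (assumption).
SENSITIVE_NAME_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\baudit", r"\brfp\b", r"proposal", r"minutes",
        r"\bssn\b", r"\btax", r"credit.?report", r"password",
    )
]


@dataclass(frozen=True)
class Finding:
    path: str    # path relative to the audited root
    reason: str  # why the file was flagged


def audit_share_root(root: str) -> list[Finding]:
    """Return one Finding per reason for every file under `root` that should
    not be exposed. A file can appear twice: once for its type, once for its name."""
    findings: list[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            stem, ext = os.path.splitext(name)
            if ext.lower() not in MEDIA_EXTENSIONS:
                findings.append(Finding(rel, f"non-media file ({ext or 'no extension'})"))
            for pat in SENSITIVE_NAME_PATTERNS:
                if pat.search(stem):
                    findings.append(Finding(rel, f"name matches sensitive term /{pat.pattern}/"))
                    break
    return sorted(findings, key=lambda f: (f.path, f.reason))


def build_sample_tree(base: str) -> None:
    """Create a constructed 'My Documents'-style tree (sample data, not real files)."""
    sample_files = [
        "Music/High School Musical - 01.mp3",
        "Music/Fall Out Boy - track.mp3",
        "Documents/internal audit plan 2007.docx",
        "Documents/Q3 financial results.xls",
        "Documents/tax return 2006.pdf",
        "Documents/family photos.mov",
    ]
    for rel in sample_files:
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"")  # contents are irrelevant; only names and types are audited


def demo() -> list[Finding]:
    """Build the constructed sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_share_root(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.path}: {finding.reason}")
```

Run against a real candidate folder with `audit_share_root("/path/to/My Documents")`; an empty result is the only state in which sharing the folder is defensible, and even then the client's own shared-file list should be checked afterwards.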

More information:

Your Data and the P2P Peril (Information Week)


45 comments
The Listed 'G MAN'

is a protocol yes. Therefore it should be treated as one regardless of the application that is using it. If I was to mis-configure a server using SMB that gave away data, how is this any worse than P2P? We should be looking at our configurations and not the protocol.

praseo

As far as I know, no corporates in India allow the use of P2P in the office. And regarding sharing of confidential documents, consistent audits make sure such employees are penalized for their misconduct.

chris_thamm

Any company STUPID enough to install ANY P2P software gets exactly what they deserve. We have a very simple policy -- ANY unauthorized software found on your computer means you're fired on the spot. Period. After letting 12 people go the first week the policy was in effect, there have since been zero problems.

Jaqui

You can find full application CD images on them. As much as companies will not want to admit it, even with policies in effect against such use, it will most likely be happening. The best solution: the company "allows" one P2P client app to be used, and the IT department installs and configures it properly for keeping confidential data secure. [Added benefit: the app can be configured to not allow content not approved, such as porn.] Best as in keeping the company data secure from being shared by company employees. There is nothing that you can do with regard to those companies you do business with, other than suggesting they too adopt the policy and only allow one P2P app, and have it locked down by the IT department to keep confidential data secure.

Tig2

We are all careful about our home security. At least most of us are reasonably careful. As IT professionals, we understand how easy it is to find ourselves at the mercy of a cracker. But what about the business we support? Surely there are policies in place that would ensure that a business user would not use P2P on their corporate asset. But does that policy really stop them? And how about all of the people that your company does business with? How do you regulate what they are able to do with YOUR company information? With awareness about the need for security growing, P2P may be the invisible attack vector. Many people using P2P are unsure of how to correctly configure the client and so simply accept the installation defaults. And that may be the beginning of the problem, as default installations tend to point at the "My Documents" folder on Windows. How do you face this growing problem?

Tony Hopkinson

There are several good uses for it businesswise, more are being thought up. Don't confuse content with protocol; by your lights you should be blocking port 80, because of all the nasties out in webland. Engage your brain, contribute, or something. There are things P2P can do that no other method manages to do anywhere near as efficiently, so if you don't do it and a competitor does..... P2P is not Kazaa, Kazaa is a P2P application, a nasty 'orrible one, but no worse a vector than say IE4. So without this discussion, when the boss comes up and says I want you to use P2P to do this, what are you going to do, ask him to sack himself, for being a clueless incompetent? Good luck with that!

TrueDinosaur

Must be nice to be so overstaffed that eliminating 12 people did not hurt the organization too much.

Tig2

But how do you manage information that goes outside of the corporate firewall? Or that is saved to a consultant's personal machine? I would think that those would still be places that there might be holes. Unless you have a sanitization requirement for data that goes outside of the firewall? One of the citations mentions Pfizer. An employee's spouse installed P2P on the work laptop and facilitated the loss of HR data stored on the machine. It should never have happened, but it did.

Timbo Zimbabwe

"As much as companies will not want to admit it, even with policies in effect against such use, it will most likely be happening." Corporate firewall stops this from within. If a laptop user somehow gets admin access to their PC, they might get it on there... but group policy will remove their admin access the next time they log on and the audit tool will find the P2P executable and delete it, rendering that security hole useless.

richard.gardner

You seem to be implying that cutting off P2P at the firewall is in some way difficult? I don't understand this at all, if a company allows P2P traffic they deserve all the viruses and data loss they get. This is a pathetic article, no IT manager worth anything would allow P2P sharing on a commercial network, regardless of size. Please write about something useful.

PhilippeV

In the article TiggerTwo affirms: the beginning of the problem as default installations tend to point at the "My Documents" folder on Windows. This is completely wrong! And because the author of this article exhibits LimeWire as an example, there's strong evidence that she did not even try to do it in LimeWire: LimeWire does NOT share this folder by default. The user needs to share it explicitly, or share one of its containing parent folders. In both cases, LimeWire will strongly inform the user that he may be sharing sensitive personal data. The user is informed at least at two successive levels, and the complete list of files that are being shared is also listed. So the problem is not in the program itself but about the user that knowingly shares folders that he should not. Blame users if they violate their corporate environment requirement using P2P programs; they cannot say they do that without an explicit prior consent and desire to violate these rules. P2P programs do not share random folders, and by default they also restrict into sharing only media files, excluding most file types that may be sensitive. What can a program do to prevent users from misusing it on purpose? Nothing. And the same is true for whatever file sharing program is used, including non-P2P ones: there's exactly the same risk with file sharing in instant messaging programs, including Microsoft ones; and the first file sharing program comes preinstalled on most PCs: it is Windows itself, and it is still the major way through which corporate and personal files are exposed and stolen WITHOUT even informing the user about which files are exposed and actively transferred! P2P programs are in fact much safer to use than default file sharing programs bundled with Windows, because of their visible monitoring of what they are sharing and transferring at any time.

jeffro in Berkshire

Firstly all traffic should be blocked at the firewall less ports required for business traffic! Your users are at work or working! The use of business equipment for home use or home equipment for business should be legislated through IT Policy and failure to comply a sackable offence (I have already on occasion had to use this method to "beat" the users into submission - metaphorically of course). Basically only use business equipment for business use. You could always explain to the user if they use their own equipment then IT will need to look at it every so often - how will they feel about that? After all your responsibility is for your data and the protection of it. In the UK we already have responsibility under the Data Protection Act and Health and Safety Rules for ensuring the compliance of Data/Worker safety, so as part of the ability to access work from home facility place a business class router with VPN capabilities and prevent the user from accessing the internet except via the business, which of course will already have the limitations in place. Secondly P2P only really works if there are multiple sites with the same data, so to use this method within business to distribute things like Plans, audits, designs etc doesn't work, especially as you're generally distributing to a number of sites at the same time. Thirdly, what happened to a plain and simple FTP server or uploading the file (encrypted of course) to a bona fide online service and distributing the link? Obviously there is more to this but many of you are already experienced in such things! Educating users has its place and using analogies to simplify the reasons may help. Ask the users would they allow their PRIVATE information to be seen by all and sundry - when they answer no, ask them why then do they expect to do so with the company data which keeps them in work.
The business as a whole, both physically and its users, need to accept that your restrictions are for the benefit of them and not because you are some deranged control freak (though some of us do fall into that category!). As a rule you don't go to the Doctor for a consultation and then question his diagnosis, so why question the motives of IT? We all have our respective specialities and all need to respect that there are going to be reasons one way or another why the job is carried out the way prescribed. While I accept some of my thoughts can be authoritarian (I am ex-military) we work in an environment of 0's and 1's - YES and NO - the maybe sometimes is not a variable YET. I obviously have it easier than most having gained much of my experience in the military where yes and no mean just that, and now run my own organisation (over 6 years now) with my own little dictatorial ways and do explain the same as most of you all to the organisations I carry out work for the reasons why I RECOMMEND you don't do it. BUT at the end of the day the employer does need you to stand up and say why they should not do it "cos" if you don't "sod's law" states it will be you who gets the sack when the crap and the fan have a close encounter! Good Luck and thanks for reading to the end of the rant!

chris_thamm

When P2P becomes the "best" or "most efficient" way of conducting your business, you need to take a serious look at your business model. P2P was initially developed to enable the casual exchange of files -- in many cases the (illegal) exchange of music and software. It may "only" be a protocol; however, it is an inherently insecure one. I cannot speak for your boss. However, I can say that mine is competent enough to 1) recognize the potential security problems using P2P poses, and 2) avoid them completely. Lastly, if you want to block port 80, that's your business; however, I would imagine it would cause many more problems than it would solve. Perhaps you could "engage your brain, contribute" more useful suggestions?

Tom_geraghty

P2P is just another protocol, blocking it outright doesn't make sense. In our (small) organisation, we have AV that does a very good job of blocking and getting rid of nasties and unwanted apps, our audit software will let me know if LimeWire or something has been installed on a laptop, and our policy informs users that mass client data should not be saved on mobile devices. Some client data has to be of course, otherwise how could an employee ring a client from their mobile phone? That phone could easily be stolen or lost, and even with security on the device, the client's contact details are vulnerable. The point being that the business need exceeds IT's need for control and protection. As for sacking 12 staff just to make the point that non-compliance with IT policy won't be tolerated, well, that doesn't sound like a company I want to work with!

chris_thamm

I think you're missing the point here. We took the time to look at the "IT behaviours" of the 12 people that were let go. Every last one of them was a significant cause of technical -- and other -- problems. People that do not understand and/or refuse to accept that a company computer is just that -- a COMPANY computer -- are going to, in the end, be a source of problems. Further, the staff was clearly and unmistakably informed well ahead of time that this policy would go into effect. Very few people were surprised to hear about the firings. And lastly, we had little to no trouble replacing the staff we let go -- there are currently a significant number of qualified, hungry programmers out there. Incidentally, the 12 replacements do not seem to have a problem with adhering to company policy.

serrin

I hear that. Too many high horses out there who apparently control company policies from the IT department. I wish that were always the case, but it's not. I see this often in manufacturing where the labor and cost of operation to produce a product outweigh IT spending. This can limit your options on choices of software, hardware that can be used for firewalling and auditing your network. Another problem is companies whose leadership doesn't understand what's really entailed in network security, but still make decisions about IT based on price and not on cost of ownership or risk management. I'm happy for all you folks who get to make the rules, but that isn't so for everyone.

Forum Surfer

We block P2P traffic through net appliances and packet shapers. Overkill, but you can never be too cautious. On our laptops, no one is given admin rights ever. We forbid the use of any app that requires storing sensitive data locally, necessitating the use of VPN on the laptop. With the use of Cisco's WebVPN we have policies in place to prevent saving files to the local machine. I could still see where people could work their ways around all these policies and manage to save a sensitive file locally and have a potential breach if they managed to get this off their corporate laptop and onto their personal PC. The most we can do is have an effective policy, above and beyond security standards, and thoroughly instruct the user regarding data loss prevention/security standards. Personally I try to at least have enough security in place that the user has to go above and beyond to get data in a position to be compromised; then the blame can be placed solely on that person. The only way to keep things truly secure is to get rid of mobile devices and VPN altogether, which isn't happening anytime soon. Even then the user will always seek ways to circumvent IT and their evil ways, lol.

Neon Samurai

There was a discussion just last week on legal reasons for BitTorrent. You might find that it is a rather popular p2p protocol with many legal business and home uses. I've seen networks that are downright scary but the business made the decisions and the IT people can only support those decisions as safely as possible. Sure, blocking the protocol at the firewall is one way; this is another way. If your business users have a valid business need for p2p transfers then it's your job as "IT manager worth anything" to support the business needs. Let's say it all together; IT supports the business needs. Business does not reduce itself to the IT limitations.

wolfshades

What makes you think company IT assets always sit behind a firewall? What if, for example, employees work from home and access their business via VPN? What happens when they disconnect their VPN session and fire up their P2P client without the benefit of restricted access? This is a real threat and needs to be examined by all, in my opinion.

richardpalcock

Great attitude Richard ... putting your head in the sand and stating something shouldn't happen doesn't mean it won't happen. The fact is that in balancing a secure corporate environment with flexibility and autonomy of employees (e.g. permitting them to use the corporate laptop for entertainment when travelling) corporations have to weigh up the risks of not fully locking down assets. In some cases user education may be sufficient and fully locking down an asset not appropriate. It may be that corporations decide to permit users to install an app/game or 2 but not authorise P2P clients, for example.

chuck.wilkins

Actually this brings to light a very good point. Not all vendors are a commercial site or have an IT manager, much less a staff. What if they are a small 4 person consulting group? They have your information and it gets shared with the entire Internet community. The Contract Agreement Manager must make sure the clause is in the contract. This article was about liability and what to do to protect yourself when a contracted third party allows your sensitive data to be shared. Nice of you to judge what is useful and what is not.

mhbowman

1. Block unwanted executables at the firewall. 2. Scan network for unwanted executables on PCs. 3. Implement Zero tolerance policy. 4. Problem solved.
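Steps 1 and 2 above, and the "net appliances and packet shapers" mentioned earlier in the thread, both depend on recognising P2P traffic, and port-based rules miss clients that pick arbitrary ports. The script below is an added example written for this page, not code from the article, from any commenter, or from a vendor product. It classifies the first bytes of a TCP flow by protocol handshake instead of by port: the Gnutella 0.6 connect line that LimeWire-style clients send ("GNUTELLA CONNECT/0.6") and the matching "GNUTELLA/0.6 200 OK" reply, the BitTorrent peer handshake (a length byte of 19 followed by "BitTorrent protocol"), and BitTorrent tracker announces over HTTP. The flow records and their field layout are constructed samples, assumed for the example.

```python
"""Payload-based detection of P2P session starts in captured TCP flows.

Added example, not code from the article or any vendor appliance. Looks at the
first bytes of each flow for well-known P2P handshakes rather than trusting
port numbers. The Flow record layout and all sample flows are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that opened the connection
    dst: str        # remote peer
    dport: int      # destination port (deliberately NOT used for detection)
    payload: bytes  # first bytes sent by the client on this flow


# Gnutella 0.4/0.6 client hello and the 0.6 server reply.
GNUTELLA_CONNECT = re.compile(rb"^GNUTELLA CONNECT/0\.[46]\r?\n")
GNUTELLA_REPLY = re.compile(rb"^GNUTELLA/0\.6 200 OK\r\n")
# BitTorrent peer wire handshake: pstrlen (19), pstr, 8 reserved bytes,
# 20-byte info_hash, 20-byte peer_id (68 bytes in total).
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
# BitTorrent tracker announce carried over plain HTTP.
BT_TRACKER = re.compile(rb"^GET /announce\?[^ ]*info_hash=")


def classify_payload(payload: bytes) -> str | None:
    """Return a protocol label for a P2P handshake, or None for anything else."""
    if GNUTELLA_CONNECT.match(payload) or GNUTELLA_REPLY.match(payload):
        return "gnutella"
    if payload.startswith(BT_HANDSHAKE_PREFIX):
        return "bittorrent-peer"
    if BT_TRACKER.match(payload):
        return "bittorrent-tracker"
    return None


def detect_p2p(flows: list[Flow]) -> list[tuple[str, str]]:
    """Return (source host, protocol) for every flow that starts a P2P session."""
    hits = []
    for flow in flows:
        proto = classify_payload(flow.payload)
        if proto is not None:
            hits.append((flow.src, proto))
    return hits


def hosts_running_p2p(flows: list[Flow]) -> dict[str, list[str]]:
    """Group detections by internal host, the list you hand to step 2 (host scanning)."""
    by_host: dict[str, set[str]] = {}
    for src, proto in detect_p2p(flows):
        by_host.setdefault(src, set()).add(proto)
    return {host: sorted(protos) for host, protos in sorted(by_host.items())}


# Constructed sample flows; addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    Flow("10.0.5.23", "203.0.113.7", 6346,
         b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example-client/1.0\r\n\r\n"),
    # BitTorrent handshake on port 8080: a port-based rule would call this "web".
    Flow("10.0.5.23", "198.51.100.4", 8080,
         BT_HANDSHAKE_PREFIX + bytes(8) + bytes(20) + b"-XX0000-" + bytes(12)),
    Flow("10.0.5.40", "198.51.100.9", 80,
         b"GET /announce?info_hash=%00%01%02&peer_id=-XX0000-example HTTP/1.1\r\n"),
    Flow("10.0.5.41", "192.0.2.10", 80,
         b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    # SMB session start, constructed: ordinary file sharing, not P2P.
    Flow("10.0.5.42", "192.0.2.11", 445, b"\x00\x00\x00\x85\xffSMBr\x00"),
]


if __name__ == "__main__":
    for host, protos in hosts_running_p2p(SAMPLE_FLOWS).items():
        print(f"{host}: {', '.join(protos)}")
```

The host list this produces feeds the next step in the thread (scanning the flagged machines for the client executable); it does not by itself distinguish an authorised BitTorrent deployment from an unauthorised LimeWire install, so the detection should be paired with the list of sanctioned clients the IT department maintains.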

Tig2

That while the company may not allow it, it can and does happen. It appeared that the common attack vector was people installing P2P at home on the corporate asset. The other vector mentioned was consultants that use their own equipment on the corporate network. I know of two companies that lock down the corporate asset but allow consultants to bring in their own equipment and use the network. I agree, this SHOULDN'T happen in the corporate world. But the fact is that it does. And unless we have an awareness that it does, we are leaving the business vulnerable.

Tig2

I very clearly credited InformationWeek. Avi Baumstein DID do the experiment and carefully documented his findings. I reported what he found. From Information Week: "It's doubtful that so many people were sharing such sensitive files on purpose. More likely, the users, or even their children, had installed a P2P program to download music or a TV show, and clicked "OK" to all the questions during the install process. One of those questions is which folder to share files from, and often the default is the Windows My Documents folder. The result was plain -- and in many ways worse than the lost laptops that have made so much news, because the files are available to the entire world and leave no trace when they're taken. If my sampling is any indication, it's clearly time to add P2P file sharing to your list of security threats." The citation link is in the article. The issue is not whether LimeWire is a good tool or if P2P sharing is a good idea. The point was to educate yourself on a potential vector for data loss. The fact that Avi was able to mine sensitive data and even locate an aggregator is proof that sharable file types are not restricted to media files. And the fact that Pfizer has experienced data loss as a direct result of P2P is clearly indicative that this loss vector should be a concern.

Dumphrey

Micro-managing GM, no budget, price is ALWAYS the first concern, no support contracts purchased ever..... I have to know/do it all. God bless google (even as I despise it..)

Forum Surfer

Someone send me a cold beer via p2p once I get home on my own network. :)

Neon Samurai

My focus is still to consider the functional need above the brand of software the user requests. A peer based protocol may support the function though if there is a better solution, that's the key. Users going around IT restrictions was more for times when the user function is required but IT fails to provide it by the bad or the good solution. Paygrades related back to one of the other posts that announced in all glory that their zero tolerance policy killed off 12 employees in the first week. I could see that in a military or high security area but if that was a regular business it may be more detrimental than beneficial. That is assuming that the breaches were not sensitive data leaks.

Neon Samurai

If the need is met by a different solution as you've found in your cases then you're all set and the user's required function is supported. My point all along has simply been to not discount a technology purely on the basis of hearing it mentioned. No one is saying that Kazaa should be a business standard but don't discount other p2p based protocols because of how crappy Kazaa is/was.

Forum Surfer

To me p2p and BitTorrent just don't cut it in business networks. I don't blindly block it, I have researched it at length and deem it inappropriate for enterprise use. Wrong tool, wrong job. I share data with many outside sources, that data consisting of huge CAD drawings, databases or simple office docs. People have requested p2p more than once, but it just isn't a viable solution. I doubt seriously they'll find ways around it. If they do so be it. They beat me at my game and I learned something new. They are the ones who will pay the piper in that situation for not adhering to the guidelines and obtaining a result through proper channels. Richard mentioned metadata, a huge concern for me. BitTorrent and p2p offer end users ease of use, but at the expense of data security and integrity. To me p2p and BitTorrent are nothing more than low end home user stuff that people use in very small businesses where better solutions can't be bought or utilized. There are far better solutions out there. And I personally can't fire anyone. I have on several occasions forwarded network policy violations to management/HR in regards to people well above my paygrade. I don't see where that even enters into the picture. Most out of the ordinary requests come from department heads. I'm not going to back down from someone because they are a few notches above me, I could care less. They pay me to provide security and stability, which I will do to the best of my ability. If I'm told to go a route I don't recommend, it is well documented that I object. :)

richard.gardner

I am sure the primary concern of most IT managers is to ensure the continued stable running of the core business systems. ERP. Full stop. BitTorrent adds no value to these core systems and can very easily have a negative effect on their stability. The only viable use of BitTorrent could be file sharing/collaboration, but there are many many other, more useful methods of doing this - does BitTorrent control metadata? No. Does BitTorrent allow you to keep control of your data security? No. Sorry, I just don't see it. I think you're just a slave to your users. I didn't go through 5 years of IT education and 10 years industry experience to not know what the most efficient method of achieving a certain task is; you look at any user created system and it is at best usable, it is certainly not supportable, it isn't efficient, it isn't service oriented. USERS DON'T HAVE THE FULL PICTURE. End of story - if you allow them to browbeat you into doing what they want then you're not doing your job. You should listen to their requirements and come up with a viable solution which satisfies the whole spectrum of IT issues, because they sure as hell haven't considered them.

Neon Samurai

I'm all for the better solution to fit a business need and while I wish business bent to the limitations of IT, it's just not so. I've actually had to tell that to business managers that wanted to change the business to fit the IT structure. If a p2p protocol makes the better sense for a specific business need then IT needs to at least learn about the applications available and figure out how to do it safely. Simply saying "oh, it's a p2p.. block it" without looking into why the end user wants that in place doesn't help. This also assumes your users don't mistake getting their iPods stocked or updating their work machine hosted porn stash is a business related need. LimeWire or Kazaa.. I'm going to be a hard sell too. BitTorrent properly configured with a valid business use; I'm listening. If all you do is blindly block what doesn't sound good at a distance then the user will find ways around that and eventually, get above your pay grade and can't fire the offender outright.

Forum Surfer

With all the "bad things" floating around on BitTorrent sites (not to mention the horrendous bandwidth consumption) and P2P I can not allow it when there are other means to accomplish the same goal. It just so happens BitTorrent and P2P are the latest fad and in most instances free so the end user thinks they make wonderful sense. From a bandwidth standpoint alone, I won't allow it unless management grants me more money for a bigger pipe to the outside world. (God that really sucks saying that one out loud, I hate IT terminology lol) If the user wants to share data with someone outside of the network (the only way such protocols would be viable), it is up to us to determine the best way possible. Aside from that, IT needs to determine if the file sharing is in line with our network policy and our legal department. If the user still insists then they'll have to go to management, who at this point would be aware of the situation. IMO we provide end results, not let the end user decide what path to take...after all, they don't always have to worry about the corporate security policies and the bigger picture.

wolfshades

I think you've hit the nail on the head here. I've seen too many managers look at technology as the answer to all of their problems. In the end, you have to manage your employees - such is the case here. Make the use of P2P software grounds for dismissal. No exceptions. I mean, if the data is that critical, it's worth protecting right?

richard.gardner

There are two issues here as I see it. First of all P2P is just a honeypot of viruses and trojans. So, first issue, what if the employee downloads a file and it is stolen by some nefarious trojan? Well P2P has very little to do with this problem, it is still a virus/trojan detection issue. The second issue seems to be as a distribution method for stolen data. Well P2P isn't the problem here, it's trusting people who can't be trusted. Doesn't matter if they have P2P or not, they can steal it 101 other ways. I agree home working is a real pain in the backside, I think the only foolproof solution for this is to boot the whole OS from USB (personally I control the home security system, firewall, virus scanner, NAT and use two factor authentication), but I think this is a different issue, of which P2P is simply one issue from thousands. Anyone who is working in a small company of consultants should pay for professional advice if they don't know enough to deal with it, they have an obligation to their clients, running P2P software on a network with client data on it is just irresponsible. Can I suggest a new topic - "How to deal with idiotic staff"???

Forum Surfer

Instant messaging? Done, we have an internal messenger that doesn't use p2p. No clients reside outside except through VPN. Need to contact a client regularly not on our network? They sign a policy agreement and are issued a VPN account, carefully configured and monitored. Outside of that use the original IM client, email. Service like Skype? We have company purchased soft phones if someone needs it. It's a better solution as it also allows internal four digit dialing and all of our phone switches' conference call/call list features. Install that in conjunction with VPN on a laptop and you have your office to go with no el-cheapo Skype solution. Sorry, Skype can't match Cisco's capabilities in this arena. No personal clients like Skype allowed. If it's worth doing, it's worth doing right and spending the cash on it. There is always a better way than p2p apps. I look into each case where there is a request and find a more viable solution. P2P apps always seem to end up being cheaper and easier to set up, not to mention easier for the end user. But they are also second rate when compared to professional enterprise solutions as far as security, options and manageable scalability are concerned. So I have never personally seen where a p2p app makes the better business argument other than being cheaper in initial use. Not to mention that if the p2p clients should be dependent on the internet, you lose all that functionality if you lose your ISP. If my ISP disappears in a disaster, I still have full internal functionality to run mission critical apps...and we play a vital role in providing service/data for EMS so this is a big factor for me. Lose your internet connection due to a severe storm and no more internal IMs through the clients you mentioned or Skype phone. Whereas the solution I provide to my end user will continue to work. P2P in my opinion belongs best in small business environments or home use.
If liability, availability and data security are paramount there are better solutions.

Jaqui

they don't understand the concept of a serverless network that uses ppp(oe) to continually change the network routing table.

Jaqui

to reconfigure those apps you REQUIRE that use UPnP to work differently, so that you can turn UPnP off to stop the p2p apps, which also use UPnP to get past firewalls. You can't forget to remove / block msm, yim, skype, icq ... after all these communication apps all have p2p functionality.

Forum Surfer

I was simply pointing out ways to keep yourself covered...which is what we all want to achieve. Keeping your network as secure as possible is what we're all after, but everyone needs to factor in the weakest link (the end user) and account for that, as well.

PLWarrior

The breach might not be your fault, but it's still your data out in the wild. All the agreements, disclaimers, releases, etc., in the world are great for pointing fingers and assigning blame after the breach happens. I think the writer is trying to bring awareness to an issue that has happened and is happening in the corporate landscape. If you're covered, then it wasn't written for you.

Forum Surfer

Data cannot be shared with our vendors unless they sign a release agreement. At that point, they need to meet our security standards or we don't do business. Plus if there is a breach on their end, it's exactly that...their end, not my fault. The position (not my position, I'm just one of the dumb IT people with all their crazy rules) of the company I work for makes it easy for me to dictate guidelines like those. I could see where this might be a little unrealistic for small businesses. CYA at its finest. :)

Tig2

Data that is shared with your vendors? How do you regulate in that instance? Personally, I hope it IS as easy as you say. The last thing we need is yet another way for PPI to get out into the wild.

Dumphrey

This brings up the point of NAC. If the attack vector is a movable asset (laptop) then it can only have access control through a local firewall and company firewalls while on premise. When they take it home, it's outside our control. And while they should only have regular user permissions, we all know how easy that is to get around if in physical possession of the computer. NAC would then step up to the plate and force such assets to have up to date AV scans, and definitions, as well as ensuring P2P software gets uninstalled before the asset is allowed to access the company network. This is by no means 100%, but it does add another layer of checks and mitigation to the risk.

rm.squires

It also depends on what technology it is based on. For example: BitTorrent needs a small file called a torrent to designate the files which are to be uploaded/downloaded. I also must point out that several viruses have emerged which (no matter what the technology used) use P2P programs to take control of/access a person's computer. P2P is great for decentralised sharing but like everything else it has its problems. Thanks for pointing out that article.
